Popular WordPress plugin maker WPML said its website was hacked over the weekend. The culprit was reportedly an ex-employee who used a backdoor left on an unsecured web server. The intruder obtained customer data including names and email addresses.
WPML lets WordPress sites publish content in multiple languages and runs on approximately 600,000 websites, according to WPML.org.
The WordPress Multilingual Plugin (WPML) warned of the breach on Sunday and said the website had to be fully rebuilt from scratch.
“Many of our clients received very distressing emails about an exploit on WPML plugin. This email was sent from an intruder who got into our site and used our mailer. Obviously, that message was not sent from us. If you received such an email, please delete it. Following links in hacked emails can cause additional problems,” WPML noted in the announcement.
One user asked whether an email from “WPML Updates” with the subject “WPML Warning” was an official WPML email or from a hacker.
Amir Helzer of WPML responded that the email was indeed from a hacker, and confirmed that the plugin itself had not been exploited.
“Our site was hacked not from an exploit in our plugin, but from a doorway that was left in our server. The hacker did not modify WPML code and did not inject security holes into it,” Helzer commented.
Helzer also wrote that the backdoor was likely planted by a previous employee. The attacker relied on insider knowledge (an old SSH password and a hole left on the web server), not on any vulnerability in WordPress or the plugin code.
WPML also said it added two-factor authentication (2FA) to admin access and minimized the web server’s access to the file system.
Finally, WPML confirmed that the WPML plugin running on customers’ sites was not affected by the intrusion and that no payment information was compromised.
Customers are also advised to log in to WPML.org and change their password, as the intruder likely has their name and email address and could gain access to their account.
This breach highlights the need to tightly control privileged local accounts and their credentials on servers. 2FA adds strong protection for remote access to websites or servers that host sensitive information. Organizations should monitor systems for unauthorized accounts and changes, and manage privileged accounts through a centralized identity and access management system.
Access for departing insiders should be removed immediately, and any shared credentials they knew, such as SSH passwords, rotated.
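As an added illustration of the "monitor for unauthorized accounts" advice (this is example code written for this article, not WPML's own tooling), the script below compares a host's login-capable accounts and root's authorized_keys against an approved roster and flags leftovers such as a departed employee's account or a stale key. The /etc/passwd and authorized_keys contents are constructed samples with placeholder key blobs, and the approved roster is an assumed allowlist; in practice it would be fed from a central IAM system.

```python
"""Audit a host's login-capable accounts and root's SSH keys against an approved roster.

Added example, not code from WPML or the article. The /etc/passwd and
authorized_keys contents below are constructed samples, and the approved
roster is an assumed allowlist (normally exported from a central IAM system).
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")

# Constructed sample /etc/passwd (no real hosts or people).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob (left company):/home/bob:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/sh
"""

# Constructed sample ~root/.ssh/authorized_keys; blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# ops keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERalice alice@laptop
command="/usr/local/bin/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERbackup backup@nas
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERcontractor contractor@old-host
"""

# Assumed approved roster: who may hold an interactive shell, and which key blobs may log in as root.
APPROVED_ACCOUNTS = {"root", "alice"}
APPROVED_ROOT_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERalice",
                      "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERbackup"}


def login_capable_accounts(passwd_text):
    """Return the set of usernames whose login shell permits an interactive session."""
    users = set()
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; a production audit should report it rather than skip it
        name, shell = fields[0], fields[6]
        if shell not in NOLOGIN_SHELLS:
            users.add(name)
    return users


def parse_authorized_keys(text):
    """Yield (key_type, blob, comment) per key line.

    Options before the key type (e.g. command="...") are skipped by scanning for the
    first token that is a known key type. Options containing quoted spaces are not handled.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                yield tok, tokens[i + 1], " ".join(tokens[i + 2:])
                break


def audit(passwd_text, authorized_keys_text, approved_accounts, approved_keys):
    """Return accounts and root keys present on the host but absent from the roster."""
    unexpected_accounts = sorted(login_capable_accounts(passwd_text) - approved_accounts)
    unexpected_keys = sorted(
        f"{ktype} ...{blob[-12:]} {comment}".strip()
        for ktype, blob, comment in parse_authorized_keys(authorized_keys_text)
        if blob not in approved_keys
    )
    return {"unexpected_accounts": unexpected_accounts, "unexpected_root_keys": unexpected_keys}


if __name__ == "__main__":
    findings = audit(SAMPLE_PASSWD, SAMPLE_AUTHORIZED_KEYS, APPROVED_ACCOUNTS, APPROVED_ROOT_KEYS)
    for category, items in findings.items():
        for item in items:
            print(f"{category}: {item}")
```

On the sample data the audit reports `bob` and `deploy` as login-capable accounts missing from the roster and the contractor's RSA key as an unapproved root key. Matching on the raw key blob is fine for an allowlist you control; when reconciling against keys recorded elsewhere, compare SHA256 fingerprints (as printed by `ssh-keygen -lf`) instead. Run the check on a schedule and diff each result against the previous snapshot so that a newly added account or key stands out, and read the real files (`/etc/passwd`, each user's `authorized_keys`) in place of the constructed samples.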